Expired System Certificate Cisco ISE

Hi there,

We have a bunch of system certificates expiring ASAP in a PAN failover deployment (Primary & Secondary).

Can you aid in the correct steps to carry out this work? Can you actually import the new certs whilst the others are active and then just delete them when the new certs are active?


I look forward to hearing back

Accepted Solution

@patrickbyrne456305724 replacing the "admin" certificate will result in restarting the ISE services. Replacing the other certificates does not result in restarting the services. Obviously for the EAP certificate you need to ensure the clients trust the ISE certificate, so use the same CA to issue the certificate and you should be fine.

Here is a Cisco guide to renew ISE certificates - https://www.cisco.com/c/en/us/support/docs/security/identity-services-engine/217191-configuration-guide-to-certificate-renew.html

Once you've replaced the certificates and the old certificate is not in use, you can safely delete the certificate.


3 Replies


Many thanks for the response. If you add/import the new certs to the Primary ISE node, do they then automatically get onto the Secondary? Or would you need to import onto the Secondary first, etc.?

@patrickbyrne456305724

Bind a CA-Signed Certificate to a Certificate Signing Request

Step 7

(Optional) Check the services for which this certificate will be used in the Usage area.

This information is autopopulated if you have enabled the Usage option while generating the certificate signing request. You can also choose to edit the certificate at a later time to specify the usage.

Changing the Admin usage certificate on a primary PAN restarts the services on all the other nodes. The system restarts one node at a time, after the primary PAN restarts.

https://www.cisco.com/c/en/us/td/docs/security/ise/2-4/admin_guide/b_ISE_admin_guide_24/m_ise_manage_certificates.html#ID776

Only the admin certificate initiates a restart of the ISE services.
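Before binding a renewed certificate (the step the accepted answer and the quoted admin-guide excerpt describe), a practitioner normally checks two things offline: that the new certificate chains to the CA the EAP supplicants already trust, and that it outlasts the one it replaces. The script below is an added example, not code from this thread or from Cisco. It uses only the openssl CLI; the CA and leaf certificates it works on are constructed here as throwaway test material, and the file names, the 30-day warning window and the hypothetical CN `ise-node.example.test` are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread or from Cisco: pre-checks to run on a
# renewed ISE system certificate before binding it. Everything below is
# constructed test material (a throwaway CA and leaf certificates) so the
# script runs offline with only the openssl CLI.
set -e

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# --- constructed test PKI -------------------------------------------------
make_ca() {    # $1 = CA name (self-signed root; CA:TRUE comes from openssl's default req config)
  openssl req -x509 -newkey rsa:2048 -nodes -days 3650 -subj "/CN=$1" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.pem" >/dev/null 2>&1
}
make_leaf() {  # $1 = leaf name, $2 = issuing CA name, $3 = validity in days
  openssl req -newkey rsa:2048 -nodes -subj "/CN=ise-node.example.test" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.csr" >/dev/null 2>&1
  openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/$2.pem" -CAkey "$WORK/$2.key" \
    -CAcreateserial -days "$3" -out "$WORK/$1.pem" >/dev/null 2>&1
}
make_ca   trusted-ca                   # the CA the EAP supplicants already trust
make_ca   other-ca                     # a CA the supplicants do not trust
make_leaf old   trusted-ca 2           # current certificate, about to expire
make_leaf new   trusted-ca 365         # renewal issued by the same CA
make_leaf wrong other-ca   365         # renewal issued by a different CA

# --- checks ---------------------------------------------------------------
# 0 if the certificate is still valid $2 days from now, 1 if it expires
# (or has already expired) inside that window.
valid_for_days() {   # $1 = cert path, $2 = days
  openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null 2>&1
}

# 0 if the leaf verifies against the given CA, 1 otherwise. A renewal that
# fails this against the CA the clients trust will break EAP authentication.
chains_to_ca() {     # $1 = leaf cert path, $2 = CA cert path
  openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# 0 if both leaves carry the same issuer DN, 1 otherwise.
same_issuer() {      # $1 = old leaf, $2 = new leaf
  [ "$(openssl x509 -in "$1" -noout -issuer)" = "$(openssl x509 -in "$2" -noout -issuer)" ]
}

# Combined verdict for a renewal candidate; prints the reason and returns 0/1.
preflight_renewal() {   # $1 = old leaf, $2 = new leaf, $3 = CA the clients trust
  if ! chains_to_ca "$2" "$3"; then
    echo "REJECT $2: does not chain to $3"; return 1
  fi
  if ! same_issuer "$1" "$2"; then
    echo "REJECT $2: issuer differs from the current certificate"; return 1
  fi
  if ! valid_for_days "$2" 30; then
    echo "REJECT $2: expires within 30 days"; return 1
  fi
  echo "OK $2: chains to $3, same issuer as $1, valid beyond 30 days"
}

# Demonstration: the old cert is inside the warning window, the same-CA
# renewal passes, and the other-CA renewal is rejected.
valid_for_days "$WORK/old.pem" 30 || echo "old.pem expires within 30 days"
preflight_renewal "$WORK/old.pem" "$WORK/new.pem"   "$WORK/trusted-ca.pem"
preflight_renewal "$WORK/old.pem" "$WORK/wrong.pem" "$WORK/trusted-ca.pem" || true
```

In a real renewal the `trusted-ca.pem` argument is the CA certificate your supplicants already have in their trust store, and the old and new leaves are the current and candidate ISE system certificates exported as PEM; the same three functions apply unchanged. `-checkend` avoids parsing the notAfter date by hand, and `openssl verify` exercises the same path-building a client performs, so a failure here shows up before any service restart rather than after.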